I think that passphrases are very useful in creating strong passwords. However, a person would have to do a couple of things to get them to the level of a strong, 20+ character password, using punctuation, capitals, numbers, and whatnot.

The main thing is that they would have to make sure that it would be easy for them to remember, but not something that people would be able to guess. If your passphrase is your favorite quote, and you also put your favorite quote on the front of your Myspace page, it reduces its security greatly.

The other thing that you would need to do would be to make it so that brute-force, dictionary, and other attacks won't work. If you use a long enough passphrase, with enough special characters, then your password is essentially safe from brute-force and dictionary. A good way to do this would be to leet-speakify the passphrase, but with some other random characters that aren't necessarily leet-speak- just to be on the safe side .

We did not invent the algorithm. The algorithm consistently finds Jesus. The algorithm killed Jeeves. The algorithm is banned in China. The algorithm is from Jersey. The algorithm constantly finds Jesus. This is not the algorithm. This is close.

I think passphrases are a good idea. Requiring a passphrase forces people that tend to choose weaker passwords to choose better passwords without really thinking about it. I'd say most passwords are upper/lower letters and numbers 6 to 10 chars long.

A user is probably more likely to come up with something like "M0onUn1t" instead of "8KdyP5t0lQgg". From a purely brute force perspective "M0onUn1t" may seem reasonable at over 218 trillion combinations before you're guaranteed to crack it.

...but "M0onUn1t" is equal to the two word passphrase "moon unit" with the right dictionary. Let's take that dictionary of 40000 common words and include l33t-sp34k variations. Say this dictionary is now maybe 65000 entries or even 80000.

That same user could be asked to create a passphrase with this advice instead: "Create a passphrase at least 8 words long. Memorize it." The user might come up with something like "lol frank zappa named a kid moon unit"... the bare minimum. Brute forcing a string that long would be tough:
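The keyspace arithmetic in the post above, worked through as an added example (this is not code from the thread or from any of its posters). It reproduces the 62^8 figure for an 8-character upper/lower/digit password, then shows why "M0onUn1t" collapses to a two-word lookup once an attacker's dictionary understands leet-speak, and how an 8-word passphrase compares. The leet reversal table, the toy word list standing in for the 40,000-word dictionary, and the 80,000-entry size for the leet-augmented dictionary are assumptions taken from the post's own numbers; a real cracking dictionary and rule set are far larger.

```python
import math
from typing import List, Optional, Set

# Constructed values from the post: upper/lower/digit charset, a 40,000-word
# base dictionary that grows to 80,000 entries with leet variants, 8-word phrases.
CHARSET_ALNUM = 26 + 26 + 10
BASE_DICT_SIZE = 40_000
LEET_DICT_SIZE = 80_000

# Assumption: a minimal leet-speak reversal table. Real rule sets cover far more.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed toy word list standing in for the 40,000-word dictionary.
SAMPLE_WORDS: Set[str] = {"moon", "unit", "frank", "zappa", "named",
                          "a", "kid", "lol"}


def brute_force_keyspace(length: int, charset_size: int = CHARSET_ALNUM) -> int:
    """Candidates needed to exhaust a random string of this length."""
    return charset_size ** length


def dictionary_keyspace(dict_size: int, word_count: int) -> int:
    """Candidates for a passphrase of word_count words drawn from dict_size words."""
    return dict_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed as bits, for easy comparison."""
    return math.log2(keyspace)


def normalize_leet(candidate: str) -> str:
    """Undo common leet substitutions and case so the dictionary can match."""
    return candidate.translate(LEET_MAP).lower()


def segment(text: str, words: Set[str], max_word_len: int = 12) -> Optional[List[str]]:
    """Split text into dictionary words (dynamic programming); None if impossible."""
    best: List[Optional[List[str]]] = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(max(0, end - max_word_len), end):
            prefix = best[start]
            if prefix is not None and text[start:end] in words:
                best[end] = prefix + [text[start:end]]
                break
    return best[len(text)]


def effective_keyspace(password: str, words: Set[str],
                       leet_dict_size: int = LEET_DICT_SIZE) -> int:
    """Keyspace an attacker with a leet-aware dictionary actually faces.

    If the normalized password splits into dictionary words, the attacker
    only has to enumerate word combinations; otherwise fall back to the
    charset brute-force bound.
    """
    parts = segment(normalize_leet(password), words)
    if parts:
        return dictionary_keyspace(leet_dict_size, len(parts))
    return brute_force_keyspace(len(password))


if __name__ == "__main__":
    for pw in ("M0onUn1t", "8KdyP5t0lQgg", "lolfrankzappanamedakidmoonunit"):
        naive = entropy_bits(brute_force_keyspace(len(pw)))
        real = entropy_bits(effective_keyspace(pw, SAMPLE_WORDS))
        print(f"{pw:32} naive={naive:5.1f} bits  effective={real:6.1f} bits")
```

Running it shows the point of the post: "M0onUn1t" looks like 47.6 bits by charset counting but is about 32.6 bits against an 80,000-entry leet-aware dictionary, while the 8-word phrase is roughly 130 bits even when every word is in that same dictionary. A password strength meter that only counts character classes will rate the two the wrong way round.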

Yeah that last post just alerted me of how weak my passwords may be. I remember the days when my password used to be just six numbers. Pass-phrases sound like a good idea but only if the user doesn't get into the habit of letting the computer remember the passwords for them because then they wouldn't remember what they are.

part of the onus should be on the logon developer.. (failed attempt blocks, captchas, password strength meters and rules) should all be standard. And let's be brutally honest about brute force and password cracking.. i think that accounts for a small fraction of the password theft... where Phishing & Loggers and other methods seem to be the primary modus operandi to get someone's account, after that.. subverting the logon process altogether... cracking and brute force are... to me at least.. a last resort option. That being said.. from the standpoint of a new user.. I think passwords are better... they can use a more complex set of characters up to 14 characters in length (refer to research as to how human brains store bits of information and why telephone numbers are 7/10 digits, bank accounts are 10 digits and so on) and muscle memory from the repetition of typing it.... I think allows people to set something like IAm2S3xy4U! and be able to memorize it.. type it quickly and efficiently..

I don't think I really had a point to this reply... I'm just typing now... hrmm..

sanddbox wrote: People would...probably...be more likely write down a passphrase (assuming it wasn't a quote or "1 2 3 4").

At the very least the passphrase might be something visible from the users position. Assuming I had to make a passphrase right now I'd look around my office... where I have a tendency to save the cool fortune cookie fortunes I get when I order Chinese.. I have several taped to my monitor.. like "It is better to be happy than wise", "A day is a span of time no one is wealthy enough to waste", and "You will soon have the opportunity to improve your finances." The 3rd has not yet happened.

I do find in my workplace, as we strictly enforce a secure password policy.. 9/10 users have their password written down, many in plain sight.. because.. the average user is blatantly lazy. Yellow sticky note on the monitor. My boss.. feels he is clever, his is under the keyboard.

But the written down password or passphrase only assists in on location theft. Unless you are Lord Nikon.